B4J Question [ Jserver ] have a way to protect informations like : node's environment variables ??

Waldemar Lima

Well-Known Member
Licensed User
Longtime User
hello, I would like to protect some private information from firebase ( firebaseConfig ) for web, is there any feature in Jserver that helps to protect information like: apiKey, authDomain, databaseURL, projectId and the like?

using NodeJs , you can use environment variables (.env) to secure this information. is there any solution for b4j ?
 
Sort by date Sort by votes

jahswant

Well-Known Member
Licensed User
Longtime User
Check out the jRDC2 project. You will find a config.properties file. You can use something similar and all your keys will be private.
 
Upvote 0

EnriqueGonzalez

Well-Known Member
Licensed User
Longtime User
enviroment variables are an OS property not an app one, So you can use enviroment variables too with:

B4X: 
    GetEnvironmentVariable("key","default")
 
Last edited:
Upvote 0

Waldemar Lima

Well-Known Member
Licensed User
Longtime User
Sorry, I don't think I explained it clearly...?
I need to hide the firebase information on the client side, Similar to this tutorial in REACT.

but I would like a way to protect information in Front using jserver
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
Waldemar Lima said:
I need to hide the firebase information on the client side, Similar to this tutorial in REACT.
Click to expand...
The solution in the link is to use Environmentvariables on the Serverside. You already got told that you can use
B4X: 
GetEnvironmentVariable("key","default")
to get a Environmentvariable from within your jserver.

This is exactly the same as in your tutorial about React.

In fact you alread have the solution useable in b4j.

So where is the problem actually?
 
Last edited:
Upvote 0

EnriqueGonzalez

Well-Known Member
Licensed User
Longtime User
Waldemar Lima said:
Sorry, I don't think I explained it clearly...
Click to expand...
i think i agree with don manfred here. may be its not clear for you how the enviroment variables work.

Waldemar Lima said:
client side
Click to expand...
if by client side you mean the browser then you can store cookies, the semi correct implementation is to encrypt those cookies with any encryption library and send it. The correct implementation is that the cookie is just a pointer to the real information on your server.

if you mean client side refering to jserver on your vps (completly incorrect), then the line i sent is the same as the one nodejs uses.
 
Upvote 0

Waldemar Lima

Well-Known Member
Licensed User
Longtime User
DonManfred said:
So where is the problem actually?
Click to expand...

Well, I'll explain in practice how it is:

I have the firebase.js file that is loaded in the index.html page.

index.html: 
<!DOCTYPE html>
<html lang="pt-BR">
<head>
  <meta charset="UTF-8">
  <title>TodoList</title>
  <link rel="shortcut icon" href="img/todoListFavicon.png" type="image/x-icon">
  <link rel="stylesheet" href="css/styles.css">
</head>
<body>
  <div id="app">
    <!--Logotipo do TodoList-->
    <div class="center">
      <img src="img/todoList.png">
    </div>

    <!--Feedback de carregamento (loading)-->
    <div id="loading">
      <img src="img/loading.gif" alt="Animação de carregamento">
    </div>

    <!--Conteúdo destinado para usuários não autenticados-->
    <div id="auth" class="center">
      <!--Formulário de autenticação-->
      <form id="authForm">
        <h3 id="authFormTitle">Acesse a sua conta para continuar</h3>

        <label for="email">E-mail: </label>
        <input type="email" placeholder="E-mail" id="email">

        <label for="password">Senha: </label>
        <input type="password" placeholder="Senha" id="password">

        <button type="submit" id="submitAuthForm">Acessar</button>
      </form>

      <!--Alternar o fomulário de autenticação para o cadastro de novas contas-->
      <p id="register">
        Não possui uma conta?
        <button onclick="toggleToRegister()" class="alternative">Cadastrar uma nova conta</button>
      </p>

      <!--Alternar o fomulário de autenticação para o acesso de contas já existentes-->
      <p id="access" class="startHidden">
        Já possui uma conta?
        <button onclick="toggleToAccess()" class="alternative">Acesse a sua conta</button>
      </p>
    </div>
  </div>

  <!--Recursos do Firebase-->
  <script src="https://www.gstatic.com/firebasejs/7.8.1/firebase-app.js"></script>
  <script src="https://www.gstatic.com/firebasejs/7.8.1/firebase-auth.js"></script>

 
  <!-- LOADING FIREBASE.JS BELOW -->
  <script src="js/firebase.js"></script>
  <script src="js/utils.js"></script>
  <script src="js/auth.js"></script>
</body>
</html>

firebase.js is where the "public" access settings for the firebase project .
but I would like to hide this information, even if it is "public", because in the documentation itself it is said that it is recommended to hide the information.

the information below is just an example of what I would like to hide.
firebase.js: 
// Your web app's Firebase configuration

var firebaseConfig = {

  apiKey: "AIzaSyCvEv7AropwWlIEC-w5c3JgprOPxjA8-kM", // b4j_env("myapikey")

  authDomain: "todolist-84473.firebaseapp.com", // b4j_env("myauthdomain")

  databaseURL: "https://todolist-84473.firebaseio.com", // b4j_env("dburl")

  projectId: "todolist-84473", // b4j_env("myprojid")

  storageBucket: "todolist-84473.appspot.com", // b4j_env("....")

  messagingSenderId: "1009074245486", // b4j_env("....")

  appId: "1:1009074245486:web:f573ce9d33c653b28ebb7f" // b4j_env("....")

};

// Initialize Firebase

firebase.initializeApp(firebaseConfig);
 
Upvote 0

tchart

Well-Known Member
Licensed User
Longtime User
You are using a client side library firebase.js - nothing to do with jserver.

The documentation doesn’t list an options to obscure or encrypt the details when initialising. If you were to do anything you would need to do it on the client side before you called the library - so kind of pointless since someone could just use developer tools to see the decrypted settings anyway.

Usually with API keys you would limit access to a specific url or up address. I don’t have experience with firebase but many apis have this feature. So even if someone had the api key they can’t use it.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

L
  • Question
B4J Question [B4JServer] Could not locate b4xV5.ini … [ERROR]: missing the html files.
Replies
1
Views
1K
LJG
L
  • Question
B4J Question [Solved][BANano] Odd <br> handling
Replies
4
Views
2K
alwaysbusy
A
  • Article
Share My Creation [B4X] Server Room Environment solution using Wemos / ESP8266
Replies
1
Views
3K
Erel
L
  • Question
B4J Question [abmaterial] Is it jserver's bug?,I'm not sure.
Replies
5
Views
2K
alwaysbusy
  • Question
B4J Question ComboBox, How to insert nodes with cell factory
Replies
4
Views
6K
jmon
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…